Chapter 1 Ethical Hacking Overview

Hands-On Ethical Hacking and Network Defense2  Describe the role of an ethical hacker  Describe what you can do legally as an ethical hacker  Describe what you cannot do as an ethical hacker

Hands-On Ethical Hacking and Network Defense3  Ethical hackers  Employed by companies to perform penetration tests  Penetration test  Legal attempt to break into a company’s network to find its weakest link  Tester only reports findings, does not solve problems  Security test  More than an attempt to break in; also includes analyzing company’s security policy and procedures  Tester offers solutions to secure or protect the network

Hands-On Ethical Hacking and Network Defense4  Hackers  Access computer system or network without authorization  Breaks the law; can go to prison  Crackers  Break into systems to steal or destroy data  U.S. Department of Justice calls both hackers  Ethical hacker  Performs most of the same activities but with owner’s permission

Hands-On Ethical Hacking and Network Defense5  Script kiddies or packet monkeys  Young inexperienced hackers  Copy codes and techniques from knowledgeable hackers  Experienced penetration testers write programs or scripts using these languages  Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others  Script  Set of instructions that runs in sequence

 This class alone won’t make you a hacker, or an expert  It might make you a script kiddie  It usually takes years of study and experience to earn respect in the hacker community  It’s a hobby, a lifestyle, and an attitude  A drive to figure out how things work Hands-On Ethical Hacking and Network Defense6

7  Tiger box  Collection of OSs and hacking tools  Usually on a laptop  Helps penetration testers and security testers conduct vulnerabilities assessments and attacks

Hands-On Ethical Hacking and Network Defense8  White box model  Tester is told everything about the network topology and technology  Network diagram  Tester is authorized to interview IT personnel and company employees  Makes tester’s job a little easier

 From ratemynetworkdiagram.com (Link Ch 1g) Hands-On Ethical Hacking and Network Defense9

10

Hands-On Ethical Hacking and Network Defense11  Black box model  Company staff does not know about the test  Tester is not given details about the network ▪ Burden is on the tester to find these details  Tests if security personnel are able to detect an attack

Hands-On Ethical Hacking and Network Defense12  Gray box model  Hybrid of the white and black box models  Company gives tester partial information

Hands-On Ethical Hacking and Network Defense13  Certification programs available in almost every area of network security  Basics:  CompTIA Security+ (CNIT 120)  Network+ (CNIT 106 or 201)

14  But see Run Away From The CEH Certification  Link Ch 1e on my Web page

15  Designated by the Institute for Security and Open Methodologies (ISECOM)  Uses the Open Source Security Testing Methodology Manual (OSSTMM)  Test is only offered in Connecticut and outside the USA, as far as I can tell ▪ See links Ch 1f and Ch 1h on my Web page

16  Issued by the International Information Systems Security Certifications Consortium (ISC 2 )  Usually more concerned with policies and procedures than technical details  Web site 

Hands-On Ethical Hacking and Network Defense17  SysAdmin, Audit, Network, Security (SANS)  Offers certifications through Global Information Assurance Certification (GIAC)  Top 20 list  One of the most popular SANS Institute documents  Details the most common network exploits  Suggests ways of correcting vulnerabilities  Web site  (links Ch 1i & Ch 1j)

Hands-On Ethical Hacking and Network Defense18  Laws involving technology change as rapidly as technology itself  Find what is legal for you locally  Laws change from place to place  Be aware of what is allowed and what is not allowed

Hands-On Ethical Hacking and Network Defense19  Tools on your computer might be illegal to possess  Contact local law enforcement agencies before installing hacking tools  Written words are open to interpretation  Governments are getting more serious about punishment for cybercrimes

Hands-On Ethical Hacking and Network Defense20

Hands-On Ethical Hacking and Network Defense21  Some states deem it legal  Not always the case  Federal Government does not see it as a violation  Allows each state to address it separately  Read your ISP’s “Acceptable Use Policy”  IRC “bots” may be forbidden  Program that sends automatic responses to users  Gives the appearance of a person being present

Hands-On Ethical Hacking and Network Defense22 (link Ch 1k)

Hands-On Ethical Hacking and Network Defense23  Federal computer crime laws are getting more specific  Cover cybercrimes and intellectual property issues  Computer Hacking and Intellectual Property (CHIP)  New government branch to address cybercrimes and intellectual property issues

Hands-On Ethical Hacking and Network Defense24

Hands-On Ethical Hacking and Network Defense25  Accessing a computer without permission is illegal  Other illegal actions  Installing worms or viruses  Denial of Service attacks  Denying users access to network resources  Be careful your actions do not prevent customers from doing their jobs

 Ch 1l1: Lycos starts anti-spam screensaver plan: Dec 2, 2004  Ch 1l2: Lycos Pulls Anti-Spam 'Vigilante' Campaign -- Dec 3, 2004  Ch 1l3: Lycos's Spam Attack Network Dismantled -- Spammers sent the DOS packets back to Lycos -- Dec 6, 2004 Hands-On Ethical Hacking and Network Defense26

 Ch 1m: Blue Frog begins its "vigilante approach" to fight spam -- July, 2005  Ch 1n: Russian spammer fights back, claims to have stolen Blue Frog's database, sends threating -- DOS attack in progress -- May 2, 2006  Ch 1o: Blue Frog compromised and destroyed by attacks, urgent instructions to uninstall it, the owners have lost control -- May 17, 2006 Hands-On Ethical Hacking and Network Defense27

 Ch 1p: Call for help creating distributed, open-source Blue Frog replacement -- May 17, 2006  Not in textbook, see links on my page (samsclass.info) Hands-On Ethical Hacking and Network Defense28

Hands-On Ethical Hacking and Network Defense29  Using a contract is just good business  Contracts may be useful in court  Books on working as an independent contractor  The Computer Consultant’s Guide by Janet Ruhl  Getting Started in Computer Consulting by Peter Meyer  Internet can also be a useful resource  Have an attorney read over your contract before sending or signing it

Hands-On Ethical Hacking and Network Defense30  What it takes to be a security tester  Knowledge of network and computer technology  Ability to communicate with management and IT personnel  Understanding of the laws  Ability to use necessary tools